Skip to main content

Apache Camel CVE-2026-46587

| EUVDEUVD-2026-41865 HIGH
Improper Input Validation (CWE-20)
2026-07-06 apache GHSA-46jf-c9vx-hh79
7.3
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
7.3 HIGH

Vendor-assigned network, unauthenticated, low-complexity path with bounded Low impact retained absent any description detail contradicting AV:N/PR:N, though component specifics are unverifiable.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Jul 06, 2026 - 19:39 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 19:38 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 19:22 NVD
7.3 (HIGH)
Analysis Generated
Jul 06, 2026 - 11:00 vuln.today

DescriptionCVE.org

Improper Input Validation vulnerability in Apache Camel.

This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0.

Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue.

AnalysisAI

Improper input validation in Apache Camel - the open-source Java integration framework - affects versions through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0, and per the Apache-published advisory carries partial (Low) impact to confidentiality, integrity, and availability. Tagged as an Information Disclosure issue, it is remotely reachable per the CVSS network vector and appears to let a remote attacker submit malformed input that the framework fails to properly validate, potentially exposing limited data or perturbing message processing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed Camel route
Exploit
Send crafted malformed input
Execution
Bypass improper input validation
Impact
Disclose limited data or disrupt processing

Vulnerability AssessmentAI

Exploitation The precondition is that a vulnerable Apache Camel route or component in an affected version (≤4.14.7, 4.15.0-4.18.2, or 4.19.0-4.20.0) is reachable and processes attacker-supplied input - the CVSS vector (AV:N/PR:N/UI:N/AC:L) implies remote, unauthenticated exploitation with no user interaction against such an endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and internally consistent but thin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends crafted, malformed input to a network-exposed Apache Camel route or component that fails to validate it, causing the framework to disclose limited information or mis-handle the message, consistent with the low confidentiality/integrity/availability impact in the CVSS vector. The AV:N/AC:L/PR:N/UI:N profile implies this can be attempted remotely without authentication or user interaction. …
Remediation Vendor-released patch: upgrade to Apache Camel 4.14.8 (for the 4.14.x and earlier line), 4.18.3 (for the 4.15.0-4.18.2 line), or 4.21.0 (for the 4.19.0-4.20.0 line), matching the fixed release to your current branch as documented in the Apache advisory at https://camel.apache.org/security/CVE-2026-46587.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Enumerate all systems running Apache Camel and document installed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33453 CRITICAL POC
10.0 Apr 27

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap

CVE-2026-40858 HIGH POC
8.8 Apr 27

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote In

CVE-2026-47323 CRITICAL
9.8 May 19

Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy im

CVE-2026-33454 CRITICAL
9.4 Apr 27

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the

CVE-2026-46590 HIGH
8.8 Jul 06

Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and

CVE-2026-27172 HIGH
8.8 Apr 27

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner C

CVE-2026-46591 HIGH
8.2 Jul 06

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMat

CVE-2026-43865 HIGH
8.1 Jul 06

Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelca

CVE-2026-40859 HIGH
8.1 Jul 06

Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a p

CVE-2026-42527 HIGH
8.1 Jul 06

Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern b

CVE-2026-46457 HIGH
7.5 Jul 06

Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS c

CVE-2026-46592 HIGH
7.5 Jul 06

Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0

Share

CVE-2026-46587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy